The joy of open, agile government security compliance

CivicActions
Jul 31, 2019 · 2 min read

At DrupalGovCon 2019, CivicActions’ Chief Information Security Officer Fen Labalme shared how to transform the cumbersome process of security compliance by using agile methods and automation. Fen knows that security is especially important for our government clients, and believes that the existing culture of compliance doesn’t have to be a barrier to transforming the way they deliver digital services to the public.

In this session, Fen talks about strategies to automate the process of creating a System Security Plan (SSP), the documentation a system needs in order to be granted an Authority to Operate (ATO). By creating a shared library of reusable security controls, organized by high-level system components, we’re helping agencies build systems that are both compliant and more secure.

Watch Fen Labalme’s talk at DrupalGovCon, July 2019.

“Compliance is not security — compliance is check boxes. I am building systems that are secure as well as compliant.” — Fen

Highlights

  • 1:00 — An overview of Fen’s involvement in IT security — starting in 1977!
  • 5:25 — All about security compliance for government: FISMA and ATOs
  • 9:50 — Why compliance is not security
  • 11:50 — How the government is updating risk management
  • 15:00 — Why System Security Plans and ATOs are still too static
  • 15:50 — Making security agile
  • 16:15 — Automating the creation of a System Security Plan (SSP)
  • 19:30 — Tools to share control information
  • 20:30 — Creating a reusable library of components for each system
  • 20:52 — Making machine-readable OpenControl for easy automation
  • 25:00 — Modules that can help automate Drupal security compliance
  • 26:14 — How to avoid writing another ATO ever again
  • 32:50 — Using automation for continuous authorization
  • 34:00 — Good practices to promote a culture of security
  • 36:45 — CivicActions security team’s continuing efforts to automate security — and share our work with others
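The component-library approach described above (16:15 through 20:52), as an added illustration that is not code from the talk or from CivicActions: each system component declares which controls it satisfies and how, and an SSP section is assembled per control by merging those narratives. The schema is a simplified, assumed approximation of OpenControl-style component data, and the component names, narratives and required-control list are constructed sample values; AC-2, AU-2, SC-7 and CM-6 are real NIST SP 800-53 control identifiers.

```python
from collections import defaultdict

# Constructed sample component library (assumed simplified OpenControl-like schema).
# Each component lists the controls it satisfies and a narrative explaining how.
COMPONENTS = [
    {"name": "Drupal CMS", "satisfies": [
        {"standard_key": "NIST-800-53", "control_key": "AC-2",
         "narrative": "Drupal roles and permissions govern account creation and privilege."},
        {"standard_key": "NIST-800-53", "control_key": "AU-2",
         "narrative": "Drupal logging modules record logins and content changes."},
    ]},
    {"name": "Cloud Hosting", "satisfies": [
        {"standard_key": "NIST-800-53", "control_key": "AU-2",
         "narrative": "Provider audit logging records API activity on the account."},
        {"standard_key": "NIST-800-53", "control_key": "SC-7",
         "narrative": "Network rules restrict inbound traffic to ports 80 and 443."},
    ]},
]

# Constructed list of controls the system is expected to document.
REQUIRED_CONTROLS = ["AC-2", "AU-2", "SC-7", "CM-6"]


def build_ssp(components, required, standard="NIST-800-53"):
    """Merge component narratives per control for one standard.

    Returns (ssp, gaps): ssp maps control id -> [(component, narrative)],
    gaps lists required controls that no component documents.
    """
    ssp = defaultdict(list)
    for comp in components:
        for sat in comp["satisfies"]:
            if sat["standard_key"] != standard:
                continue
            ssp[sat["control_key"]].append((comp["name"], sat["narrative"]))
    gaps = [c for c in required if c not in ssp]
    return dict(ssp), gaps


def render_ssp(ssp, required):
    """Render the merged controls as markdown, flagging undocumented ones."""
    lines = []
    for control in required:
        lines.append(f"## {control}")
        for name, narrative in ssp.get(control, []):
            lines.append(f"- {name}: {narrative}")
        if control not in ssp:
            lines.append("- GAP: no component documents this control")
    return "\n".join(lines)


if __name__ == "__main__":
    ssp, gaps = build_ssp(COMPONENTS, REQUIRED_CONTROLS)
    print(render_ssp(ssp, REQUIRED_CONTROLS))
    print("Gaps:", gaps)
```

Because the narratives live with the components, a new system reuses them by listing its components, and the gap list shows which controls still need a written narrative before the SSP is complete.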
